It is no surprise, given the continuing revelations of compromised security credentials and identity information, that Cybersecurity rises to near the top of the list of risks a financial organization must face, identify and manage.
On November 10th, the FFIEC released updated guidance in its Examination Handbook that clearly ties an expanded level of accountability for mitigating Cybersecurity threats to the institution’s Executives and the Board of Directors. This is but the latest update, as Regulators have delivered several pronouncements on Cybersecurity awareness in 2015, including a Cyber Assessment Tool released in the summer. The expectation by Regulators is that a Board understands and approves detailed strategies to protect data and proprietary information, even as they accept the fact that the US Government itself has demonstrated it cannot protect its most sensitive information. Clearly this fuels regulatory worry.
Placing accountability at the highest level is destined to change the risk narrative and its presentation internally. From this expanded guidance for examiners, it is clear that IT Risk Management cannot be delegated to credentialed Information Security professionals on staff, or to your vendors, without oversight, detailed understanding and approval at the highest organizational levels. No longer can an annually invited guest IT Manager parade an unopened book of project plans around the board table and receive acceptance without discussion or challenge. The key question is who on the Board is qualified to evaluate the organizational posture and strategy with regard to Cybersecurity risk and mitigation? Who within the Board even understands the “attack surfaces”?